Tuesday, March 10th 2020

AMD Processors Since 2011 Hit with Cache Attack Vulnerabilities: Take A Way

Cybersecurity researcher Moritz Lipp and his colleagues from the Graz University of Technology and the University of Rennes uncovered two new security vulnerabilities affecting all AMD CPU microarchitectures going back to 2011, detailed in a research paper titled "Take A Way." These include "Bulldozer" and its derivatives ("Piledriver," "Excavator," etc.,) and the newer "Zen," "Zen+," and "Zen 2" microarchitectures. The vulnerabilities are specific to AMD's proprietary L1D cache way predictor component. It is described in the security paper's abstract as a means for the processor to "predict in which cache way a certain address is located, so that consequently only that way is accessed, reducing the processor's power consumption."

By reverse engineering the L1D cache way predictor in AMD microarchitectures dating from 2011 to 2019, Lipp, et al, discovered two new attack vectors with which an attacker can monitor the victim's memory accesses. These vectors are named "Collide+Probe," and "Load+Reload." The paper describes the first vector as follows: "With Collide+Probe, an attacker can monitor a victim's memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core." The second vector is described as "With Load+Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core." The two vulnerabilities have not been assigned CVE entries at the time of this writing. The research paper, however, describes the L1D cache way predictor in AMD processors as being vulnerable to attacks that can reveal contents of memory or even keys to a vulnerable AES implementation. For now there is no mitigation to these attacks, but the company is reportedly working on firmware and driver updates. Access the research paper here.
AMD L1D cache way predictor logic found vulnerable in Take A Way attack classes.
Source: Cowcotland
Add your own comment

46 Comments on AMD Processors Since 2011 Hit with Cache Attack Vulnerabilities: Take A Way

#1
sutyi
ACKNOWLEDGMENTS

We thank our anonymous reviewers for their comments and sugges-tions that helped improving the paper. The project was supportedby the Austrian Research Promotion Agency (FFG) via the K-projectDeSSnet, which is funded in the context of COMET - CompetenceCenters for Excellent Technologies by BMVIT, BMWFW, Styria, andCarinthia. It was also supported by the European Research Coun-cil (ERC) under the European Union’s Horizon 2020 research andinnovation programme (grant agreement No 681402). This workalso benefited from the support of the project ANR-19-CE39-0007MIAOUS of the French National Research Agency (ANR). Additional funding was provided by generous gifts from Intel. Any opinions, findings, and conclusions or recommendations expressed in thispaper are those of the authors and do not necessarily reflect theviews of the funding parties.
Oh Intel... please never change.
Posted on Reply
#2
Recus
sutyiOh Intel... please never change.
Commissioned by AMD QA Consultants Determines AMD's Most Stable Graphics Drivers in the Industry

Recent drivers hell says otherwise
Posted on Reply
#3
stimpy88
"Additional funding was provided by generous gifts from Intel."

I have a feeling that we will see more of this from now on, as the fruits of Intel's money become "published"...
Posted on Reply
#4
londiste
Graz University of Technology has been in the forefront of security vulnerabilities research since Spectre and Meltdown. At least three of the authors of this paper were also among authors of their Meltdown paper and at least one was among authors of their Spectre paper.

I absolutely do not get the instant dismissal when someone spots Intel somewhere.
sutyiOh Intel... please never change.
Fallout: Leaking Data on Meltdown-resistant CPUsACKNOWLEDGMENTS
We want to thank the reviewers for their feedback, as well as Vedad Hadžić from Graz University of Technology and Julian Stecklina from Cyberus Technology for contributing ideas and experiments. This work has been supported by the Austrian Research Promotion Agency (FFG) via the project ESPRESSO, which is funded by the Province of Styria and the Business Promotion Agencies of Styria and Carinthia. It was also supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET – Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia. It has also received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402), by the Defense Advanced Research Projects Agency (DARPA) under contract FA8750-19-C-0531, and by the National Science Foundation under grant CNS-1814406. Additional funding was provided by a generous gift from Intel and AMD.
Oh AMD... please never change?
Posted on Reply
#5
lexluthermiester
Ok, this is some scary stuff. AMD has a serious problem to solve.

In the referenced PDF, section 5.2.3, a method is described by which Javascript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses Javascript(99%) can potentially be used to attack a subject system.

It will be interesting to review the analysis and CVE for these new vulnerabilities.
Posted on Reply
#6
londiste
lexluthermiesterIn the referenced PDF, section 5.2.3, a method is described by which Javascript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses Javascript(99%) can potentially be used to attack a subject system.
Isn't this the same timing approach as Spectre? Which has already been mitigated by browsers not using accurate enough timers to mount a successful attack?
Posted on Reply
#7
Chomiq
sutyiOh Intel... please never change.
Want to bet that similar line can be found in Spectre and Meltdown papers?
Posted on Reply
#8
TheLostSwede
News Editor
lexluthermiesterOk, this is some scary stuff. AMD has a serious problem to solve.

In the referenced PDF, section 5.2.3, a method is described by which Javascript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses Javascript(99%) can potentially be used to attack a subject system.

It will be interesting to review the analysis and CVE for these new vulnerabilities.
Supposedly this only allows for short snippets of data and might not even be usable for a full password.
Posted on Reply
#9
londiste
ChomiqWant to bet that similar line can be found in Spectre and Meltdown papers?
Actually, no. I checked. Spectre/Meltdown papers research was not supported by neither Intel nor AMD. More recent research has been supported by Intel and sometimes by AMD.
Posted on Reply
#10
Vayra86
sutyiOh Intel... please never change.
RecusCommissioned by AMD QA Consultants Determines AMD's Most Stable Graphics Drivers in the Industry

Recent drivers hell says otherwise
Nice race to the bottom, guys. You can crawl back into your hole now and leave this for the adults.
Posted on Reply
#11
Vya Domus
londisteI absolutely do not get the instant dismissal when someone spots Intel somewhere.
Then you don't know their history, the evidence on why nothing that is touched by Intel can be fully trusted is immense. You can chose to believe in the just world fallacy where everyone is well intended unless otherwise proven but I for one don't, seen too many instances when that wasn't the case.

For the record, I don't dismiss the paper, it's not like I think it's nonsense but I do question it's purpose and how well it was timed with other events.
Posted on Reply
#12
londiste
Vya DomusThen you don't know their history, the evidence on why nothing that is touched by Intel can be fully trusted is immense. You can chose to believe in the just world fallacy where everyone is well intended unless otherwise proven but I for one don't, seen too many instances when that wasn't the case.
I do know the history. I would suspect better than most. Still, "nothing that is touched by Intel" is quite extreme, don't you think?
In line with the context used here, do you think we should dismiss any and all research papers Intel has been sponsoring? ;)
Vya DomusFor the record, I don't dismiss the paper, it's not like I think it's nonsense but I do question it's purpose and how well it was timed with other events.
What events? This was disclosed to AMD last August and published now. Timing a 6-month window would seem too big of a hassle to even try.

Edit:
This is kind of weird though. Instead of discussing what the paper found, whether this has impact or merit (it should, being an academic paper which I assume is peer reviewed), we are discussing Intel because there is a sidenote in the paper that Intel supported researchers. This kind of support is not exactly abnormal.
Posted on Reply
#13
_Flare
Aslong as none of any vunerabilities are fantasy, they are legit, no matter who sponsored the research.
This research sponsoring is a legit method of competitive behaviour in my opinion and will lead to more secure products of all participants.
Posted on Reply
#14
Chomiq
londisteActually, no. I checked. Spectre/Meltdown papers research was not supported by neither Intel nor AMD. More recent research has been supported by Intel and sometimes by AMD.
Try CacheOut, "gifts" from both Intel and AMD.
Posted on Reply
#15
EarthDog
So... @R-T-B, what's the story here...

Much ado about nothing? Something?
Posted on Reply
#16
Vya Domus
londisteThis was disclosed to AMD last August and published now.
Published now, right along when the financial analyst day took place. A pure coincidence I'd imagine.
londisteStill, "nothing that is touched by Intel" is quite extreme
First or second time around when Intel did something shady ? Yeah, it would be extreme. After the plethora of examples when that happened with some being confirmed and punished by authorities, nah not that extreme anymore. Again, it's your personal choice to believe nothing is wrong should be the de facto stance on this, mine isn't.
Posted on Reply
#17
mtcn77
EarthDogMuch ado about nothing? Something?
Yeah, R-T-B we need more semantic arguments. Like the kind that don't show up when meltdown is mentioned, but brought up the instant it is called a spectre variant. Let us throw the baby out with the bathwater.
Posted on Reply
#19
Turmania
If there is a vulnerability with Intel related products, we condemn them.
If there is a vulnerability with AMD related products we condemn Intel once again..
There is never anything wrong with AMD.
Posted on Reply
#20
the54thvoid
Super Intoxicated Moderator
Stay on topic please. Discussion about the impact or real-world likelihood of the vulnerability affecting us is welcome. Sniping back and forth about "AMD this... Intel that" is not.
Posted on Reply
#21
zlobby
stimpy88"Additional funding was provided by generous gifts from Intel."

I have a feeling that we will see more of this from now on, as the fruits of Intel's money become "published"...
Although I feel you, I must admit that all users benefit from this.

The more pressure on the companies the greater the chance they do things right.
Posted on Reply
#22
mtcn77
Spectre is what again? They say in this report, the vulnerability is global accessibility of victim cache evict logs. So the question is spectre-mtd-... stay on point and not undue ad-nauseum much?
Posted on Reply
#23
Dragonsmonk
To ask some valid questions instead of continuing the bashing of AMD vs. Intel - under what circumstance can this be used?

Same jokes as with Intel's vulns where the attacker already needs to have full admin access to the system?
Can this be used from outside sources without actual access?
Can this be exploited via malicious websites?

Those questions should be discussed here....
Posted on Reply
#24
mtcn77
At least, you cannot overshadow the real big impact as a base rate fallacy since the researchers spill the beans for you. You can bang all the drums you want, it doesn't make a spectre variant any more vulnerable than meltdown.
Posted on Reply
#25
TheoneandonlyMrK
londisteI do know the history. I would suspect better than most. Still, "nothing that is touched by Intel" is quite extreme, don't you think?
In line with the context used here, do you think we should dismiss any and all research papers Intel has been sponsoring? ;)
What events? This was disclosed to AMD last August and published now. Timing a 6-month window would seem too big of a hassle to even try.

Edit:
This is kind of weird though. Instead of discussing what the paper found, whether this has impact or merit (it should, being an academic paper which I assume is peer reviewed), we are discussing Intel because there is a sidenote in the paper that Intel supported researchers. This kind of support is not exactly abnormal.
No security notice should be dismissed only considered correctly.
We can only hope these companies work better to maintain our security and not just to maintain market share.
To be fair researchers need pay too, and if intel were not paying some other nation state would be. probably would not disclose it to the company and would develop a zero day out of it, not good.
Finally hopefully And shore up this hole soon, somehow.
Posted on Reply
Add your own comment
Dec 19th, 2024 01:00 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts